Canadian charged as encrypted network allegedly used by criminals disrupted, equipment from Huawei and others called risky to US networks, and updates for Chrome browser, Netgear and Linux.
Welcome to Cyber Security Today. It’s Monday, March 15th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The chief executive and a former distributor of a Canadian firm that allegedly installed sophisticated encryption software in smartphones used by criminals for communications have been indicted by a U.S. grand jury. Jean-Francois Eap of Sky Global, as well as a former distributor of the company’s devices, were charged with allegedly conspiring to violate the U.S. Racketeer Influenced and Corrupt Organizations law, known as the RICO Act. Warrants have been issued for their arrest. Sky Global devices allegedly connected to the encrypted Sky ECC messaging app. It was the second international move to disrupt and possibly shut down communications claimed to be used by crooks.
As I reported on Friday morning’s podcast, last week police in Belgium and the Netherlands arrested people and made seizures in an effort to cripple alleged criminal use of the Sky ECC network. The American indictment alleges Sky Global’s purpose was to help criminals communicate for the distribution of drugs and for money laundering. It is alleged Sky Global had a policy of not asking device buyers what they were doing with their smartphones. The U.S. Justice Department statement says an international effort including Canadian authorities has seized Sky Global’s infrastructure.
Products from five China-based makers of equipment have been listed as posing an unacceptable risk to U.S. national security if used in critical infrastructure. They are from network equipment makers Huawei Technologies and ZTE Corporation, and video surveillance manufacturers Hytera Communications, Hangzhou Hikvision Digital Technology and Dahua Technology.
Some security updates to tell you about:
If you’re using the Google Chrome browser, make sure it’s running the latest security update. It fixes five security bugs.
Network administrators with certain models of Netgear Gigabit Plus GS or JGS switches should make sure they’ve installed the latest security updates. This comes after security firm NCC Group found a number of vulnerabilities. Some bugs may not be fixed by updates and may have to be dealt with by mitigations.
IT administrators with Linux servers should investigate whether their systems are vulnerable to three recently discovered vulnerabilities. They date back to a 15-year-old bug in the Linux kernel. The vulnerabilities could lead to hackers getting into servers. Patches are available from Linux distributions. There’s a link here to the complex explanation of this issue.
One year after it spotted suspicious activity on its network, a Florida law firm is notifying clients their personal information may have been copied. The firm of Sachs, Caplan said Friday that on February 26, 2020 it noticed something odd. After investigating, it realized someone accessed some of its systems and email accounts in January and February of that year. Exactly what, the law firm doesn’t know. But it may include names, Social Security numbers, dates of birth, copies of police reports and photocopies of government-issued ID. Out of an abundance of caution, 12 months later, it’s letting clients know.
Finally, another one of those ‘oopsy’ mass email message mistakes to tell you about: A county health department in New York State sent out hundreds of emails last month to people eligible for COVID-19 vaccines, with each recipient able to see the email address of everyone else on the list. An employee sending out the mass emails put everyone’s address in the ‘CC’ part of the message, which stands for Carbon Copy. They should have been put in the ‘BCC’ section. That stands for Blind Carbon Copy, with ‘Blind’ meaning recipients can’t read other email addresses on the list. This mistake was made three times last month. Just over 900 people were on the list. The only personal information other than an email address was that everyone notified was eligible to make an appointment for the vaccine. But it still qualified as a breach under the U.S. federal health information protection law.
That’s it for today. Links to details about these stories are in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.